BugTraq
Back to list
|
Post reply
Well known flaw in web cart software remains wide open
Nov 12 2002 06:44AM
whitehat2004 yahoo com
WhiteHat Security Advisory 1004
November 11, 2002
===================
Problem Description
===================
Vulnerable web shopping cart software passes prices between web pages
using hidden form fields. What this means is that every time a customer
adds something to their shopping cart, the cart checks HTTP-POSTed data
coming from the CUSTOMER computer to determine the price. The problem is
that the user can alter this data before sending it to your web server,
allowing the user to set the price of his or her choice.
This hack is already widely known in the WhiteHat and BlackHat
communities. I hope to spread awareness to those site owners who are
trusting their stores to faulty software.
===================
HOW THIS HACK WORKS
===================
Visit some vulnerable site and look at a set of expensive "FooBars".
Install an simple IE plugin that allows you to edit HTTP POST data before
submission and then change the hidden form field containing the price of
the FooBars from $575 to $10.
Now, send the edited data and look at the confirmation page.
======
Impact
======
Malicious users may set their own prices at any site using vulnerable
cart software. If prices are not hand-verified, vulnerable sites lose
revenue.
=====================================
Mitigating Factors / Vendor Snake Oil
=====================================
1> Some vendors think it is sufficent to change from HTTP GET requests to
HTTP POSTs.
Insufficent. Handcrafted-HTTP requests using PERL, C++, etc allow the
user to fake a post.
2> Checking HTTP Referer (http://www.cart32.com/kbshow.asp?article=C051)
Insufficent. HTTP Referer is a header sent FROM the client and thus
should not be trusted. User can either fake header or use a trivial IE
plugin which allows on-the-fly POST editing. Writing such a plugin took
the author 5 hours. The widely available test proxy known as Achilles
can also execute this attack.
=======================================
Vendors Affected and Notification Dates
=======================================
JustAddCommerce - Notified July 15
Cart32 - Notified July 8
Approximately 50% of the hand-coded carts tested - Notified at
assorted dates/times
Related note [1]: PayPal does not claim that its donations are secure,
and thus I do not consider them vulnerable. Prices are passed in URL.
https://www.paypal.com/cgi-bin/webscr?amount=9.99&return=http%
3A//www.thisistrue.com/thanks.html&item_name=Whatever
Related note [2]: A number of vendors have protected their item price
data, but not their shipping charge data. When submitting a shipping
charge of -40, the user receives a $40 discount on their order.
=====================
Where to go from here
=====================
Find out if you are vulnerable. Review your code or your HTTP traffic to
determine where the prices are coming from.
If you find you are vulnerable:
1> Immediately begin verifying orders and prices.
2> Call your vendor and request a patch
3> Read the Web Security section of "Writing Secure Code" or similar to
figure out how to fix this class of vulnerability.
===========================
How to prevent this problem
===========================
Cart software should NEVER trust ANY data coming from the client. This
includes HTTP Headers. If the cart must rely on HTTP POSTed data, it
should be delivered in a cryptographically secure manner.
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
WhiteHat Security Advisory 1004
November 11, 2002
===================
Problem Description
===================
Vulnerable web shopping cart software passes prices between web pages
using hidden form fields. What this means is that every time a customer
adds something to their shopping cart, the cart checks HTTP-POSTed data
coming from the CUSTOMER computer to determine the price. The problem is
that the user can alter this data before sending it to your web server,
allowing the user to set the price of his or her choice.
This hack is already widely known in the WhiteHat and BlackHat
communities. I hope to spread awareness to those site owners who are
trusting their stores to faulty software.
===================
HOW THIS HACK WORKS
===================
Visit some vulnerable site and look at a set of expensive "FooBars".
Install an simple IE plugin that allows you to edit HTTP POST data before
submission and then change the hidden form field containing the price of
the FooBars from $575 to $10.
Now, send the edited data and look at the confirmation page.
======
Impact
======
Malicious users may set their own prices at any site using vulnerable
cart software. If prices are not hand-verified, vulnerable sites lose
revenue.
=====================================
Mitigating Factors / Vendor Snake Oil
=====================================
1> Some vendors think it is sufficent to change from HTTP GET requests to
HTTP POSTs.
Insufficent. Handcrafted-HTTP requests using PERL, C++, etc allow the
user to fake a post.
2> Checking HTTP Referer (http://www.cart32.com/kbshow.asp?article=C051)
Insufficent. HTTP Referer is a header sent FROM the client and thus
should not be trusted. User can either fake header or use a trivial IE
plugin which allows on-the-fly POST editing. Writing such a plugin took
the author 5 hours. The widely available test proxy known as Achilles
can also execute this attack.
=======================================
Vendors Affected and Notification Dates
=======================================
JustAddCommerce - Notified July 15
Cart32 - Notified July 8
Approximately 50% of the hand-coded carts tested - Notified at
assorted dates/times
Related note [1]: PayPal does not claim that its donations are secure,
and thus I do not consider them vulnerable. Prices are passed in URL.
https://www.paypal.com/cgi-bin/webscr?amount=9.99&return=http%
3A//www.thisistrue.com/thanks.html&item_name=Whatever
Related note [2]: A number of vendors have protected their item price
data, but not their shipping charge data. When submitting a shipping
charge of -40, the user receives a $40 discount on their order.
=====================
Where to go from here
=====================
Find out if you are vulnerable. Review your code or your HTTP traffic to
determine where the prices are coming from.
If you find you are vulnerable:
1> Immediately begin verifying orders and prices.
2> Call your vendor and request a patch
3> Read the Web Security section of "Writing Secure Code" or similar to
figure out how to fix this class of vulnerability.
===========================
How to prevent this problem
===========================
Cart software should NEVER trust ANY data coming from the client. This
includes HTTP Headers. If the cart must rely on HTTP POSTed data, it
should be delivered in a cryptographically secure manner.
[ reply ]